Full Disclosure mailing list archives

Re: ICMP Security Vulnerabilities - NEW (cough)


From: Vic Vandal <vvandal () well com>
Date: Fri, 22 Jul 2005 11:08:48 -0700 (PDT)

In response to you, Chad Loder:


On Thu, 14 Jul 2005, Chad Loder wrote:

Vic,

I find it interesting that you've gone through the
trouble of writing a 10 page email in which you
seem to be claiming partial credit for someone else's
work, but you have not bothered to include any
references to substantiate your claims, other than
a mailing list you can't remember, some private
conversations on a tangentially related subject
you've had with associates over the years, and your
newbie ICMP guide.

There was no real "trouble" in "writing a 10 page email"
as mostly all I did was cut-and-paste something I wrote
10+ years ago that I HAPPENED to have relatively handy.
My only "trouble" is in responding to retarded statements,
one of which is ignorantly outside the original thread.
Guess which one that is!

I explained quite clearly "why" I didn't include those
"references".  Obviously you didn't understand those words.
And is there any real value to such inclusion anyway in
this case?  The content would still be what it is.  I did
"reference" a few RFCs, for the record (as you contradicted
yourself in noting).

The "mailing list" was not one I was ever a member of, nor
did I ask or was I told what it was.  A colleague (who ran an
InfoSec consulting business and a "hacker" lab) with me was
into BSD big-time, had a copy of that guide, and asked me
if he could post it to some BSD mailing list he was on.  I
never asked which one (and didn't care), and gave my OK.  We
never discussed it again, but I did remember that conversation
we had working in the lab some 6-7 years ago.

Unfortunately your email adds nothing new to the
discussion and only shows that you did not take the
time to understand the draft, nor the fixes that have
been implemented in OpenBSD and Linux.

Whether or not it added anything new to any specific persons,
discussions, etc., I'm sure at least someone learned something
by it being posted.  BTW, how could it list fixes implemented
in OpenBSD and/or Linux if it was written before some of
those fixes were implemented?

Also the "guide" was clearly titled as to its intent/content,
which was not "ICMP flaws and fixes".

Exactly what does your post "add new" to anything or anyone?
Ironically, the answer to that is "not a damn thing!"

Now, regarding your guide to ICMP filtering.  First,
your guide says nothing about the blind ICMP attacks
against TCP in Fernando's paper.  Your guide appears
to be a summary of other information (including guides
and published exploits) available well before 1994
(including, for god's sake, the "Security Considerations"
sections of RFCs published in 1990 and even earlier).

That guide wasn't entitled "blind ICMP attacks against TCP",
which may be one of several reasons there was no mention
of such things in it.

I made it quite clear that the information was "old news",
hence it being "available well before 1994".  Being that
you're such an expert on "old info availability", perhaps
you should include those references you are alluding to.

In addition, some of the advice in your guide is
dangerous for basically anyone other than home users
sitting behind a firewall.  This, too, was widely
known before your guide was published.

I'll tell you the same thing here that I told Fernando Gont
based on his reply to me.

The text is a "guide", as are ALL "guides", which may not
apply in individual network situations. The fact that you
don't seem to understand that basic concept is certainly
"interesting".

There are implementation details missing from the guide,
but that was "intentional" - as different filtering products
have different syntax, features, and layers of granularity
available.  It assumes one understands the product one is
working with and how to apply the guide to their individual
environment.  There is no "one size fits all" in security
and/or networking in many, many cases.  This is simply one
of those many cases.

You need to hit the books.

You assume to know what I haven't read or NEED to read,
which is quite an ignorant statement.  What I can say to
that is if I stacked the diversity and depth of my knowledge,
skills, abilities, experience, references, and credentials
against yours, I'll bet good money it won't be "I" that
requires such ignorant advice.  Just because I've never been
very visible in the public domain (under ANY of the names
associated with me, by design) doesn't mean I don't know
and haven't done much.  It is quite the contrary.  I've
been in this InfoSec game professionally since 1989, and
held other computer jobs/interests long before then.

        -Chad Loder


Freaking retards!  Sheesh!

Vic
(what a waste of time that was, which won't happen again)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/